Certified in Risk and Information Systems Control (CRISC) is a fairly new certification exam issued by ISACA. CRISC-certified professionals manage organizational risks and their associated controls, and ensure that risk management strategies are aligned with overall business objectives.
I appeared for the exam in June 2014 and was amongst the top scorers in the Asia region. Since there isn't as much guidance about CRISC as about other ISACA certifications such as CISA and CISM, here is my take on the exam.
About the CRISC Certification
Issued by the Information Systems Audit and Control Association (ISACA), the CRISC certification is granted to professionals who identify and manage risk through the development, implementation and maintenance of information systems controls. You can learn more about the exam at the official page here.
What does it cover?
ISACA has recently revised the CRISC job practice, reducing it from five domains to four. Starting June 2015, the CRISC exam will contain 150 questions (instead of 200) covering these new domains:
- Domain 1—Risk Identification (27%)
- Domain 2—Risk Assessment (28%)
- Domain 3—Risk Response and Mitigation (23%)
- Domain 4—Risk and Control Monitoring and Reporting (22%)
The numbers in brackets indicate the weighting given to each domain in the exam. The domains are further broken down into knowledge statements. While it's important to understand the knowledge statements and the objective each one serves, you don't need to memorize them. You can review them here.
How to prepare for the exam?
The CRISC Review Manual 2015 from ISACA is the bible and your sole rescuer for this exam. I couldn't get hold of any good material from independent publishers, which re-emphasizes the fact that the exam is still evolving. I've not been fortunate enough to get a copy of the 2015 manual with the new job practices, but I believe the essence of risk management will be the same. The manual has plenty of questions for a candidate to practice on and get a feel for the real exam. The answers and explanations are also provided. Besides this, ISACA also has a CRISC Questions & Answers Database and its supplement. One can also take a 12-month subscription and access the database via the web.
What’s the exam like?
CRISC is a paper-based examination. Starting in 2015, 150 questions need to be answered within 4 hours. ISACA uses a 200-800 point scale, with 450 as the passing mark. A scaled score is a conversion of the raw score on an exam to a common scale. I didn't find any questions taken straight from the manual; they were more application- and experience-based, drawing on the risk management field.
The exam fee varies from $440 to $750 depending on whether or not you're an ISACA member. You can start the exam registration process here. The same applies to the cost of exam preparation material. My personal advice is to go for the membership here. ISACA has tons of wonderful material, all free to members. In the unfortunate event of failing the exam, you need to pay the exam fee again to retake it. You can read more about the examination process here.
Post exam jitters
I personally felt devastated after the exam, as I wasn't sure about most of the questions I had answered. This was unlike ISACA's CISA exam, where I was pretty confident about my answers. Earnestly hoping to pass by a miracle, I stepped out of the exam hall and found the others to be in the same boat.
Once you've taken the CRISC examination, you'll have to wait 8 weeks for the results. By the time the results are announced, you will probably have moved on.
What’s next after clearing the exam?
- 3 years of professional experience in at least two of the four new domains; 1 year of experience focused on Domain 1 or 2
- Adherence to the ISACA Code of Professional Ethics
- Compliance with the CRISC Continuing Professional Education (CPE) Policy
Once you've cleared the exam, ISACA requires you to complete a CRISC Application for Certification. In this application you'll need to list at least three years of cumulative work experience in at least three CRISC domains. Candidates who do not meet the experience requirements have five years, from the date of clearing the exam, to gain the relevant experience.
To maintain the certification, certification holders must earn and submit a certain number of CPE points annually and over each three-year period. In addition to CPEs, an Annual Maintenance Fee also needs to be paid every year. Learn more about the credential maintenance requirements here.
I often get questions about the strategy I adopted to prepare for the exam, or about a sure-shot way to clear it. Believe me, it totally depends upon individual strengths and weaknesses. So the best way is to realize what you can leverage and what needs to be improved. At the end of the day, it's an exam!
If I have left out anything, or if readers have any additional queries, please leave them in the comments below. Please note that questions regarding the sharing and distribution of pre-owned material will not be entertained, as it amounts to piracy.
Neha Chandra, CISSP, RSA Archer Administrator, ITIL v2 Foundation, PRINCE2 Foundation, Information Security & Privacy Consultant at IBM, has recently passed the Certified Information Systems Auditor (CISA) and Certified in Risk and Information Systems Control (CRISC) exams and is preparing to pursue the Certified Information Security Manager (CISM) certification in the future.